Attacks multiply as hackers target unpatched IE flaw

Hackers were moving rapidly toward widespread distribution of an exploit for a previously unknown vulnerability in Internet Explorer that awaits a patch from Microsoft, security experts say.

[Internet Explorer zero-day attackers linked to Bit9 hackers]

Since Microsoft acknowledged the critical vulnerability nearly two weeks ago, the number of hacker-led campaigns targeting corporate networks have increased steadily. Experts agree that an exploit for the flaw will soon be packaged in popular malware development kits available online in the criminal underground.

Indeed, Rapid7 reported Monday that a module for the IE exploit has been added to its popular Metasploit tool used by penetration testers to check software for vulnerabilities.

Adding the exploit to Metasploit is an indication of how the vulnerability has become “truly public knowledge,” according to Patrick Thomas, security consultant for Neohapsis. The module can only be tested on IE9 on Windows 7 SP1 with either Office 2007 or Office 2010.

“We do not believe it will be long before we see widespread distribution of the exploit,” Alex Watson, director of security research for Websense, said.

“The criminals are attempting to use this vulnerability as fast as they can; before Microsoft patches the exploit in a regular Patch Tuesday, or perhaps in an out of band patch.”

Microsoft is scheduled to distribute its monthly patch release Oct. 8. Because the software maker has released a temporary fix for the flaw affecting all versions of IE, experts do not expect a permanent fix until the upcoming release.

The temporary Band-Aid is 32-bit only, making it useless to organizations running 64-bit Windows operating systems.

Meanwhile, FireEye reported Monday at least three more advance persistent threat (APT) campaigns targeting the IE vulnerability. While the attackers were using the same exploit, they represented three separate groups.

One group FireEye called Web2Crew was coding the exploit into Poison Ivy, a remote access Trojan that has been popular for almost a decade. The RAT has been used in high-profile attacks in the past, such as the 2011 RSA breach that compromised its SecureID authentication token.

FireEye reported finding the latest exploit hosted on a server in Taiwan. The target appeared to be a financial institution that had been targeted in previously reported campaigns.

The second group of hackers dubbed Taidoor were using malware of the same name, which was found in a compromised Taiwanese government website. The same site had been used in a separate APT attack reported earlier.

The Taidoor group was targeting the same financial services firm as Web2Crew, FireEye said.

The third APT campaign was the work of a group called th3bug, first discovered in 2009, FireEye said. The hackers use the Poison Ivy RAT and typically target higher education and the healthcare industry.

The three APT attacks were launched last week, a reflection of how quickly cybercriminals are moving to take advantage of the time before Microsoft issues a patch.

Microsoft encouraged customers Monday to apply its temporary fix “to help ensure they are protected as we continue work on a security update.”

“There are reports of a limited number of targeted attacks and customers who have installed the Fix It are not at risk from this issue,” the company said in a statement.

Websense estimates that nearly 70 percent of Windows business users are open to attack by hackers using the latest IE exploit. While all versions of the browser are affected, cybercriminals seem focused primarily on IE versions 8 and 9 on Windows 7 and XP operating systems.

FireEye reported last week finding an APT campaign it dubbed Operation DeputyDog that was using the IE exploit against manufacturers, government entities and media organizations in Japan. The attackers were linked to the same group of Chinese hackers who stole the code-signing certificates for the Bit9 security platform, disclosed in February.

Meanwhile, security vendor AlienVault reported last week finding exploits for the IE flaw on a subdomain of Taiwan’s Government e-Procurement System. The attackers were using JavaScript code to redirect first-time visitors to the main webpage to an exploit page.

While most of the exploits have been discovered since Microsoft acknowledged the flaw, Websense reported last week finding an exploit that had been targeting Japanese financial firms as far back as July 1.

The exploit was found on the site of a “potential victim organization in Taiwan,” the security vendor said. The finding indicated some hackers were aware of the IE flaw longer than previously thought.